- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 26 Apr 2007 09:34:41 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
On 2007-04-24 12:12:35 -0700, Jonas Sicking wrote:

> So this puts two requirements on the algorithm. First of all we
> can't simply merge whatever lists are in the headers with the
> lists produced by the PIs in the page. Second, we need an
> explicit way to deny access, not just exclude from the accept
> list.

I think we'd need some *very* good arguments why that is desirable.

The current algorithm is, in fact, deliberately designed *not* to deny access in addition to what the browser's default sandbox does. The point here is that this directive is really only enforced in the browser. If a resource author thinks they can reliably protect themselves from cross-site access by throwing in an additional "deny" (and possibly make that part of their security analysis), then that's an exercise in self-delusion: Deployment of the access-control header or processing instruction will be far from universal for a long time (assuming it ever even gets close to being universal).

I don't think the spec should be designed in a way that suggests that such a use of the access-control mechanism (maybe it should really be called an access-grant mechanism, btw) is either safe, reliable, or useful.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Thursday, 26 April 2007 09:14:29 UTC
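The argument above, that a "deny" rule in an access-control header or processing instruction is only ever enforced by the requesting client, can be made concrete with a small model. The following Python is an added example and is not code from the thread or from the W3C draft; the `allow`/`deny` rule kinds, the `Rule` type, the naive merge of header and PI lists, and the `fetch` simulation are all assumptions made for illustration, and the resource and origins are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class Rule:
    kind: str    # "allow" or "deny" (hypothetical keywords, not the draft's exact syntax)
    origin: str  # an origin URI, or "*" for any origin

def merge_rules(header_rules: Iterable[Rule], pi_rules: Iterable[Rule]) -> List[Rule]:
    """Naive merge: header rules first, then rules from processing instructions."""
    return list(header_rules) + list(pi_rules)

def _matches(rule: Rule, requesting_origin: str) -> bool:
    return rule.origin == "*" or rule.origin == requesting_origin

def is_granted(rules: Iterable[Rule], requesting_origin: str) -> bool:
    """Grant semantics with an added deny: access requires a matching allow
    and no matching deny.  This is only meaningful if the client runs it."""
    rules = list(rules)
    allowed = any(r.kind == "allow" and _matches(r, requesting_origin) for r in rules)
    denied = any(r.kind == "deny" and _matches(r, requesting_origin) for r in rules)
    return allowed and not denied

def fetch(resource: dict, requesting_origin: str, enforces_policy: bool) -> Optional[str]:
    """Simulate a cross-site fetch.  A browser that implements the mechanism
    evaluates the policy before handing the body to script; any client that
    does not implement it simply reads the body the server already sent."""
    if enforces_policy and not is_granted(resource["rules"], requesting_origin):
        return None
    return resource["body"]

# Constructed sample resource: the author grants everyone and tries to
# carve out one origin with a "deny".
SAMPLE_RESOURCE = {
    "body": "<data>secret-ish content</data>",
    "rules": merge_rules(
        header_rules=[Rule("allow", "*")],
        pi_rules=[Rule("deny", "http://excluded.example")],
    ),
}

def outcomes(resource: dict = SAMPLE_RESOURCE) -> dict:
    """Compare what an enforcing browser and a non-enforcing client each receive."""
    return {
        "browser, granted origin": fetch(resource, "http://other.example", True),
        "browser, denied origin": fetch(resource, "http://excluded.example", True),
        "non-enforcing client, denied origin": fetch(resource, "http://excluded.example", False),
    }

if __name__ == "__main__":
    for label, body in outcomes().items():
        print(f"{label}: {body!r}")
```

The third line of output is the point of the message: the server has already transmitted the body, so the "deny" changes nothing for a client that does not implement the mechanism. The rule set can only widen what a conforming browser's sandbox permits, which is why the mechanism is better thought of as access-grant than access-control.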